I am working at a university as a research assistant. Often I would like to connect from home to university resources over http or ssh, but they are blocked from outside access. Therefore, they have a front-end ssh server that we can ssh into and from there to other hosts. For http access they advise to set up an ssh tunnel like this

All nice and working, but I would not like to let all my other internet traffic go over this proxy server, and every time I want to connect to the university I have to do these steps again.

What I would like:

Set up an ssh tunnel every time I log in to my computer. I have a certificate, so no passwords are needed.

Have a way to redirect some wildcard domains always through the ssh server first, so that when I type intra.university.fi in my browser, the request transparently goes through the tunnel. Same when I want to ssh into another resource within the university.

Is this possible? For the http part I think I maybe should set up my own local transparent proxy to have this easily done. How about the ssh part?

Where exactly are you pointing things to port 1234? I don't see that in the example in step 2
– Peter Smit, Mar 14 '10 at 19:20

This answer is not perfect yet, but still I accept it as it is the best and the deadline is in an hour. Can you still answer my question above here?
– Peter Smit, Mar 15 '10 at 4:40

1

What does the port thing in the hosts file do?
– janmoesen, Mar 15 '10 at 21:32

1

You are. Gravely. From man hosts: IP_address canonical_hostname [aliases...]. IMO, this is not an adequate solution.
– janmoesen, Mar 19 '10 at 12:15

1

Note that multiple hosts for the same IP address can just be placed on one line, so your example could be rewritten as 127.0.0.1 localhost ubuntu-64-desktop university.fi.
– Mathias Bynens, Apr 1 '11 at 12:58

Then, go to Firefox's advanced network settings and point it to that file. If successful, you will see the "PAC loaded" message in your JavaScript console (Ctrl+Shift+J). If you are not using Firefox, remove the "alert" lines.

This is a pretty basic PAC, but it should help you on your way. Mine also looks at IP netmasks to determine internal/external services, etc.

Perhaps you could force the private domains to use the 'proxy' by simply editing the host configuration on your local system. If you manually point all the domains to localhost, and had the tunnel established, wouldn't:

http://privateaccess.tld:1234

Send a request to:

localhost:1234

Which is really a port forward to the internal network proxy server. The request should still be for the same domain, so the proxy server should respond correctly.

Try setting up SOCKS-proxy with ssh (ssh -D <portnumber> publicsshserver.university.fi) and configure your browser to use 127.0.0.1 and <portnumber> as proxy. You can then add domains that it should or shouldn't use the proxy for. For other services (for example vnc) you can use tsocks to make it use your tunnel.

How can I "add domains"? In my browser settings? Opera only supports exclude patterns. How about the ssh connections? How can I set those to use the SOCKS proxy?
– Peter Smit, Mar 6 '10 at 13:04

I haven't used Opera so I can't really tell. You could perhaps use tsocks for that too. Use "tsocks ssh <sitethatneedtheproxy>" to ssh to sitethatneedstheproxy via your socks proxy.
– Jimmy Hedman, Mar 10 '10 at 20:55

Opera still does not support SOCKS proxies, I'm afraid. Ran into this issue earlier this week. It does support PAC, though. See my answer. :-)
– janmoesen, Mar 11 '10 at 21:13
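
A PAC file for the split routing discussed in the answers above (SOCKS tunnel from `ssh -D` plus per-domain proxy selection), as an added example that is not any poster's own file; the SOCKS port 1080 and the domain list are assumptions. It matches hosts on a label boundary and lists no DIRECT fallback for university hosts, so those requests fail rather than leave the tunnel when it is down.

```javascript
// Added example: PAC file that sends only university hosts through the
// ssh -D tunnel. Assumptions (not from the page): SOCKS port 1080 and the
// contents of TUNNELED_DOMAINS.
var TUNNEL = "SOCKS5 127.0.0.1:1080; SOCKS 127.0.0.1:1080";
var TUNNELED_DOMAINS = ["university.fi"];

// True when host is the domain itself or a subdomain of it. The match is made
// on a label boundary, so "notuniversity.fi" and "university.fi.example.com"
// are not routed into the tunnel.
function inDomain(host, domain) {
  host = host.toLowerCase().replace(/\.$/, "");   // ignore case and a trailing dot
  if (host === domain) return true;
  var suffix = "." + domain;
  return host.length > suffix.length &&
         host.slice(-suffix.length) === suffix;
}

// Entry point the browser calls for every request. It does not call
// dnsResolve() or isInNet(), so the script itself never looks up internal
// names on the home network.
function FindProxyForURL(url, host) {
  for (var i = 0; i < TUNNELED_DOMAINS.length; i++) {
    if (inDomain(host, TUNNELED_DOMAINS[i])) return TUNNEL;
  }
  return "DIRECT";   // everything else bypasses the tunnel
}
```

Start the tunnel with `ssh -D 1080 publicsshserver.university.fi` (port assumed as above), then point the browser's automatic proxy configuration at this file.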